September 11, 2002

MEMORANDUM

FOR:      M/AS, Roberto J. Miranda

FROM:     IG/A/ITSA, Melinda G. Dempsey /s/

SUBJECT:  Risk Assessment of Major Functions Within the Information and Records Division of the Office of Administrative Services, Bureau for Management (Report No. A-000-02-003-S)

This memorandum is our report on the subject risk assessment. Although this is not an audit report, it contains suggestions for your consideration. We have reviewed your comments, and they are included as Appendix II. I appreciate the cooperation and courtesy extended to my staff during the risk assessment.


Background

The Office of Administrative Services, Bureau for Management (M/AS) provides logistical and administrative support services worldwide and is responsible for functions costing approximately $40 million annually. It comprises the Office of the Director[1] and four divisions:

• Consolidation, Property and Services Division,[2]
• Information and Records Division,
• Overseas Management Support Division,[3] and
• Travel and Transportation Division.[4]

During the past decade, the Office of Inspector General has performed few audits of the Office of Administrative Services' functions. In addition, the Office of Administrative Services has received limited external reviews and evaluations from other sources. Given the lack of external independent reviews, including audits, we performed risk assessments of the major functions of the Information and Records Division of the Office of Administrative Services.

[1] See risk assessment Report No. A-000-02-001-S.
[2] See risk assessment Report No. A-000-02-002-S.
[3] See risk assessment Report No. A-000-02-004-S.
[4] See risk assessment Report No. A-000-02-005-S.

Page 1 of 11

The General Accounting Office's "Standards for Internal Control in the Federal Government" (November 1999) note that internal controls should provide reasonable assurance that agency objectives are being achieved, operations are effective and efficient, assets are safeguarded against loss, and transactions are properly recorded. Internal controls consist of the following five interrelated components. These components are the minimum level for internal control and provide the basis against which internal control is to be evaluated.

1. Management and employees should establish and maintain a control environment throughout the agency that sets a positive and supportive attitude toward internal control and conscientious management.
2. Internal control should provide for a risk assessment of the risks the agency faces from both external and internal sources.
3. Internal control activities should be effective and efficient in accomplishing the agency's control objectives and help ensure that management's directives are carried out.
4. Information should be recorded and communicated to management and others within the agency who need it, in a form and within a time frame that enables them to carry out their internal control and other responsibilities.
5. Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

This review focused on the second component, risk assessment. The GAO Standards note that the specific risk analysis methodology used can vary because of differences in agencies' missions and the difficulty of qualitatively and quantitatively assigning risk levels. This review assigned a risk exposure of high, moderate, or low to each major function. A higher risk exposure simply indicates that the particular function is more vulnerable to its program objectives not being achieved or to irregularities occurring. Appendix I describes our risk assessment scope and methodology in detail.


Discussion

The Information and Records Division of the Office of Administrative Services, Bureau for Management (M/AS) is responsible for the following four major functions.[5] Our assessments of the risk exposure for each of these major functions are described below.

Function Description: Agency directives—Format, distribution, and clearance of Automated Directives System (ADS)
Risk Exposure: Moderate

Risk Assessment Factors
• During fiscal year 2001, two contracts to perform this activity incurred obligations of $514,000 and $413,000. Only $65,000 of the $514,000 is for production of ADS CD ROMs, with the rest going to other records management activities. The second contract is for document preparation, web page development and maintenance, and administrative support.
• No independent review of the ADS function has been conducted since at least October 1996.
• The cognizant technical officer for the $514,000 contract (CD ROMs) is from another bureau.
• Some ADS are out of date in content and/or format. Causes include USAID bureaus' lack of support and low priority. Bureaus are requested to certify annually whether their ADS policies and procedures are current. However, the response certifications are not tabulated and limited follow-up is conducted.

[5] Our risk assessments covered only major functions. In addition to the major functions described in this report, the Information and Records Division is also responsible for archiving of records, correspondence management, the forms and report management program, and review and submittal of Federal Register Notices.

Function Description: Declassification of records
Risk Exposure: Moderate

Risk Assessment Factors
• Function has limited dollar vulnerability.
• Declassification team consists of five staff who are retired annuitants.
• Declassification can be highly sensitive.
• No internal quality control review process is in place.
• Initial review of high priority documents has been completed; the team is now reviewing the remaining documents in sequential order.
• Executive Order 13142 requires declassification of all records dated prior to 1978 (25 years old) by 2003. USAID's declassification effort has currently reached early-1970s documents. Despite expectations of meeting deadline requirements, effective measurement of progress is limited because the universe of documents yet to be declassified is unknown.
• USAID has agreements with other federal agencies to review and declassify documents pertaining to USAID. Certain categories of these documents are referred to the USAID declassification team.
• A database for tracking document declassification was instituted in May 2001 but will require a substantial amount of time to "catch up".
• Space in the declassification area is cramped.

Function Description: FOIA and PA—Processing of Freedom of Information Act (FOIA) and Privacy Act (PA) requests for information
Risk Exposure: Moderate

Risk Assessment Factors
• Function has limited dollar vulnerability.
• The greater risk is associated with releasing too much information.
• No internal reviews have been conducted since at least 1992.
• The FOIA attorney position has recently been filled by a retired annuitant after being vacant for over one year.
• Despite several attempts to fill it, the FOIA analyst position has been vacant for approximately one year.
• The current (Microsoft Access) database used to track FOIA requests is of limited usefulness. Software designed specifically for FOIA activity has recently been purchased and is being implemented.
• Despite several attempted updates, the inventory of the Agency's "System of Records" has not been updated since 1975.

Function Description: Vital records management
Risk Exposure: High

Risk Assessment Factors
• Vital records management is receiving increased attention since the recent attacks on government installations.
• The management of the vital records function is carried out by one staff person who has been in that role since 1997 and is expected to spend 50 percent of her time on vital records.
• The U.S. storage of vital records is carried out by one contractor. USAID missions arrange for their own storage.
• The identification part of the function is carried out by bureaus and missions using guidance from the Information and Records Division vital records officer. This same vital records officer provides training and assistance to bureaus and missions.
• In response to a general notice, several bureaus (4 of 12) and most missions (61 of 69) have not reported their most recent status to the Information and Records Division in identifying their vital records and/or file plans.
• No oversight mechanism exists for reporting the bureaus' and missions' status in (not) meeting vital records requirements.
• No recent internal reviews of the vital records function have been conducted.
• Unnecessary effort could be avoided if a single database were used to incorporate vital records within the file plans.


Conclusion

Our risk assessments of the Information and Records Division of the Office of Administrative Services, Bureau for Management (M/AS) covered four functions and reached the following conclusions.

                                                                  Risk Exposure
Function Description                                          High   Moderate   Low
Agency directives—Format, distribution, and clearance
  of Automated Directives System (ADS)                                  X
Declassification of records                                             X
FOIA and PA—Processing of Freedom of Information Act
  (FOIA) and Privacy Act (PA) requests for information                  X
Vital records management                                       X

Based on these assessments, we suggest that the Office of Administrative Services focus its efforts on mitigating the higher risk associated with the vital records management function. Specifically for the vital records management function, we suggest that the Office:

• identify and report to USAID management those missions and bureaus that have not provided their vital records plans, and upgrade the general notice to the Administrator level.

Beyond this high-risk function, we suggest that the Office of Administrative Services institute the following improvements:

• in regard to the agency directives function, track, follow up, and report to management the status of ADS response certifications from bureaus;
• in regard to declassification of records, intensify efforts to ensure that the database used to measure declassification status is current; and
• in regard to the FOIA and PA function, (1) update the inventory of the Agency's "System of Records" and (2) complete the implementation of a new database for tracking FOIA and PA requests.

Both Information and Records Division and Office of Administrative Services management agreed with our risk assessments and our suggested courses of action. The Office of Administrative Services noted in its comments on the draft report (see Appendix II) several specific actions that it has pursued to respond to our suggested courses of action.


Appendix I

Scope and Methodology

Scope

The Office of Inspector General, Information Technology and Special Audits Division, conducted a risk assessment of major functions within the Information and Records Division of the Office of Administrative Services, Bureau for Management (M/AS). This risk assessment was not an audit. The risk assessment covered operations principally for fiscal year 2001. The risk assessment was conducted at USAID headquarters in Washington, D.C. from October 12, 2001 to February 14, 2002.

Our risk assessments of the Information and Records Division's major functions have the following limitations in their application.

• First, we assessed risk at the major function level only, not at the Division or Office level.
• Second, we assessed risk only. Our risk assessments were not sufficient to make definitive determinations of the effectiveness of internal controls for major functions. Consequently, we did not generally (a) assess the adequacy of internal control design, (b) determine if controls were properly implemented, or (c) determine if transactions were properly documented. Where we were able to make these types of determinations within the scope of our work, we reported on them accordingly as part of our risk exposure assessments.
• Third, higher risk exposure assessments are not definitive indicators that program objectives were not being achieved or that irregularities were occurring. A higher risk exposure simply indicates that the particular function is more vulnerable to such events.
• Fourth, risk exposure assessments, in isolation, are not an indicator of management capability, because risk assessments consider both internal and external factors, some of which are outside the span of control of management.
• Fifth, comparison of risk exposure assessments between organizational units is of limited usefulness, because risk assessments consider both internal and external factors, some of which are outside the span of control of management.

Methodology

We interviewed officials and reviewed related documentation of major functions performed by the Information and Records Division. These documents covered background, organization, management, budget, relevant laws and regulations, staffing responsibilities, prior reviews, internal controls, and risks (i.e., vulnerabilities). Our tests of documentation were limited and judgmental in nature and were conducted principally to confirm oral attestations of management.

We identified the Division's major functions using the input of the Division Director and based on the significance and sensitivity of each major function. We determined risk exposure for all major functions in each division, i.e., the likelihood of significant abuse, illegal acts, and/or misuse of resources, failure to achieve program objectives, and noncompliance with laws, regulations and management policies. We assessed overall risk as high, moderate, or low. A higher risk exposure simply indicates that the particular function is more vulnerable to its program objectives not being achieved or to irregularities occurring. We considered the following key steps in assessing risk:

(a) determined significance and sensitivity;
(b) evaluated susceptibility to failure to attain program goals, noncompliance with laws and regulations, inaccurate reporting, or illegal or inappropriate use of assets or resources;
(c) were alert to "red flags" such as a history of improper administration or material weaknesses identified in prior audits/internal control assessments, poorly defined and documented internal control procedures, or a high rate of personnel turnover;
(d) considered management support and the control environment;
(e) considered competence and adequacy of number of personnel;
(f) identified and understood relevant internal controls; and
(g) determined what is already known about internal control effectiveness.

These risk assessments were not sufficient to make definitive determinations of the effectiveness of internal controls for major functions. As part of the review methodology, we did (a) identify, understand, and document (only as necessary) relevant internal controls and (b) determine what was already known about the effectiveness of internal controls. However, we did not generally (a) assess the adequacy of internal control design, (b) determine if controls were properly implemented, or (c) determine if transactions were properly documented. In some cases, we were able to make these assessments and reported on them accordingly as part of our risk exposure assessments.


Appendix II

Management Comments

April 15, 2002

MEMORANDUM

TO:       Melinda Dempsey, IG/A/ITSA

FROM:     Roberto J. Miranda, M/AS/OD

SUBJECT:  Risk Assessment of Major Functions Within the Information and Records Division of the Office of Administrative Services (Report No. A-000-02-xxx-S)

The Information and Records Division (IRD) has no objections to the designated Risk Exposure ratings and recommended improvements of the four IRD programs (ADS, Systematic Declassification, FOIA/PA, and Vital Records) reviewed by OIG.

Identify and report to USAID management those missions and bureaus that have not provided their vital records plans and upgrade the general notice to the Administrator level.

IRD's premise is that while many USAID organizations are sensitized to a need to capture Vital Records, they may not adequately understand the program and their roles in the program. To rectify this problem, IRD held 6 Vital Records Workshops in 2001 and provided many individual briefings to USAID/W offices. A briefing on the Vital Records Program will be given at the upcoming 2002 EXO Conference. M/AS Overseas Management Support Division has been holding focus group meetings with many USAID/W offices. One of the major goals of the focus meetings is to help the participants define their vital functions - the first major step in developing a Vital Records package.

IRD is taking actions on other fronts that will impact the development of Vital Records packages in Washington.

Based on increased awareness by the missions and bureaus, IRD expects the 2002 reporting compliance rate to be higher than previous years.

In regard to the Agency directives function, track and follow-up the status of ADS response certifications from bureaus.

The Automated Directives System (ADS) includes ADS policy and procedural chapters, active portions of the old USAID Handbooks, Agency Policy Notices, and applicable internal and external references.

The IRD contractor provides a monthly report on the status of the ADS chapters. Every year, as required by ADS 501.3.7 (Automated Directives System [ADS] - Annual ADS Certification), IRD and its contractor conduct a certification review of the ADS chapters. Cognizant Directors responsible for ADS materials are required to certify that the contents of their chapters are current. If the chapters are not current, they are asked to provide a timeline outlining the planned revisions. If the Directors/Division Chiefs do not respond to the certification requests, IRD makes two one-on-one follow-ups: one with the Directors/Division Chief and one with the official above the Director/Division Chief. During the upcoming certification process, IRD intends to continue this established protocol. However, in line with OIG's recommendation, IRD will report the non-responding offices to upper management within the Bureau for Management.

In regard to declassification of records, intensify efforts to ensure that the database to measure declassification status is current.

The development of our Declassification Program database capabilities is well underway and there is no backlog of data to be entered into the system.

In regard to the Privacy Act function, update the inventory of the Agency's "Systems of Records".

The Agency's inventory of its Privacy Act (PA) Systems of Records is outdated. IRD has not had the necessary manpower resources to correct this inadequacy.

While IRD does intend to update this inventory, it must be noted that that process may take 18 to 24 months to complete. IRD's limited direct-hire resources will restrict our efforts. The speed with which this task can be accomplished will be dependent upon the cooperation of the systems' owners. Depending upon the changes that must be made to a system's descriptions, 30- to 60-day notifications must be sent to the Federal Register and sometimes to OMB.

In regard to the Freedom of Information Act (FOIA) and Privacy Act (PA) functions, complete the implementation of a new database for tracking requests.

IRD currently has a simple ACCESS-based tracking database for its FOIA and PA requests. The compilation of that data for this very complex report is cumbersome and time-consuming.

IRD has purchased a FOIA tracking, on-line redaction, and reporting COS software program. This program is being tailored to reflect our unique organizational makeup and processing methods. Training will be provided to the USAID Systems Administrator and the FOIA Specialists. These tasks are scheduled to be completed by June 31, 2002.

In closing, M/AS/OD appreciates the professional assistance, courtesy and help of the IG staff, particularly as we work to implement your recommendations.